
Legal matters

Mumsnet has not checked the qualifications of anyone posting here. If you have any legal concerns we suggest you consult a solicitor.

Data Protection breach - what do I do?

133 replies

Watchkeys · 30/12/2023 08:55

I rent out a vehicle via an agency. I turned down a booking, and the agent found another vehicle for the customer. I got a notification of a message having arrived re my booking, and discovered that I am party to the full conversation between the vehicle owner and the customer. This includes the customer's passport and driving licence details, proof of address, dates they'll be hiring the vehicle (so I know their house will be likely vacant), along with details from the vehicle owner about location of the vehicle, how to deactivate its immobiliser, and their address and other contact details.

There is a clause in the contract between vehicle owner and agency referring to the Data Protection Act, and a further clause regarding confidentiality, and the fact that personal information will not be shared for any other reason than to process the booking.

I feel that some authority needs to know about this, and I feel that other owners of vehicles, and potential customers, should know that their personal information isn't being kept personal. I don't want to use the agency any more, and think that others might make the same decision, but only if someone tells them it's happened. My information hasn't been shared, as far as I know, but how would I know?

What do I do, legally?

Thank you

OP posts:
forcedfun · 30/12/2023 10:27

Torchdino · 30/12/2023 10:13

No don't contact them, I've had my data shared this way before and I'd have hated it even more if someone had used that data they were mistakenly sent to contact me.

Agreed. It would be quite strange to contact them.

Just alert the company op and then delete the data.

Assuming you aren't planning to rob their house or use their passport details then the harm is minimal.

Watchkeys · 30/12/2023 10:28

Soontobe60 · 30/12/2023 09:49

I assume the message contained a link which you then opened and then read, despite knowing it was not your booking?
Yes, it’s wrong of them to have sent the info to you but in reality it’s an error, probably made by some minimum wage admin person who will be in big trouble once their mistake is discovered.

Some of the info was shared in their messages, so it was right in front of me when I opened my inbox.

I'm not sure legal contracts should be brushed aside because of minimum wage admin people not doing their job properly or not being trained properly. I have been the minimum wage admin person, and have made mistakes myself, but I wouldn't expect any legal responsibilities to be waived due to that.

OP posts:
Watchkeys · 30/12/2023 10:29

Assuming you aren't planning to rob their house or use their passport details then the harm is minimal

I've decided against this ;)

I don't think data protection should be based upon the decisions of individuals to do the right thing, though.

OP posts:
Watchkeys · 30/12/2023 10:30

Torchdino · 30/12/2023 10:13

No don't contact them, I've had my data shared this way before and I'd have hated it even more if someone had used that data they were mistakenly sent to contact me.

But I'd welcome the contact. Are our preferences relevant here?

OP posts:
KinS24 · 30/12/2023 10:36

What do you want to happen? GDPR focuses on ensuring good practice. Yes there can be large fines for breaches where individuals are impacted.
You could ask them to notify you of the breach report and threaten them with loss of your business. Not much else you can do.

qpalbfy · 30/12/2023 10:39

But I'd welcome the contact. Are our preferences relevant here?

That contact (should it meet the threshold) should come from the data controller who has the legal basis for processing the data, NOT a random member of the public.

Watchkeys · 30/12/2023 10:43

qpalbfy · 30/12/2023 10:39

But I'd welcome the contact. Are our preferences relevant here?

That contact (should it meet the threshold) should come from the data controller who has the legal basis for processing the data, NOT a random member of the public.

Is that the legal situation? I mean, is it illegal for me to contact them?

Thank you for taking the time to answer.

OP posts:
Invisablewoman · 30/12/2023 10:47

You should not use their data to now contact them. Delete it after you’ve informed the company. If you have reason to believe the company won’t act properly in response, contact the ICO. That’s really all there is to it.

Watchkeys · 30/12/2023 10:50

Thank you @Invisablewoman

OP posts:
Torchdino · 30/12/2023 10:51

I don't think data protection should be based upon the decisions of individuals to do the right thing, though.

Well it's not, but there are limitations to it. The company on realising there has been a breach should self report, and indeed they may have done so already. The first safety net is that most people would report the breach to the company, they then legally have processes and obligations they need to follow. If they don't then they can be reported to ICO, there are several points in the chain beyond one person 'doing the right thing'. You're getting way too invested though, report to the company sure, but delete the personal data of the stranger and definitely don't use it to contact them. You seem to be getting very over invested in this, any reason why?

qpalbfy · 30/12/2023 10:51

@Watchkeys it's a good question, and one I don't feel able to answer with complete confidence but I will have a try, my quick interpretation would be yes it is. You holding that data is processing it, you have effectively made yourself a data controller, not a private person, within scope of GDPR which means you now need a legal basis for processing which you don't have (unlike when you are processing for personal means like an address book which is out of scope of legislation for example), so you could be prosecuted for incorrect handling of data. I base this on the fact that if we have a member of the public who refuses to delete data they should not have as a result of a data breach, we can remind them that it is illegal for them to continue to hold it and that they can be personally liable, so I don't see how this situation would be any different really (processing is essentially anything with data, holding it, sharing it, using it etc). That said, to be realistic, it is incredibly unlikely to actually have legal ramifications because...well common sense we know big crimes often aren't looked into never mind this, but you would potentially be leaving yourself vulnerable to an Article 82 compensation claim from the data subject if they weren't happy you contacted them.

Tryingtryingandtrying · 30/12/2023 10:51

You should have deleted immediately and deleted from your junk.

Do you want the person who sent it sacked? Or just the person whose info was shared to know?

BarkHorse · 30/12/2023 11:00

Invisablewoman · 30/12/2023 10:47

You should not use their data to now contact them. Delete it after you’ve informed the company. If you have reason to believe the company won’t act properly in response, contact the ICO. That’s really all there is to it.

^This^

Contacting the other party is absolutely not on. If it were me, I’d think you were odd. If it was my parents for example it would really worry them unnecessarily. Just use the correct channels and delete the emails.

DRS1970 · 30/12/2023 11:04

This is a breach of GDPR. I would report it to the Information Commissioner's Office, and notify the originator of the breach and your actions.

norma1980 · 30/12/2023 11:06

Contact the agency and inform them. They'll ask you to delete the email received - this is containment.

They'll then draft (or should) an internal report about the incident weighing up risks - so one email sent with details. They know who the recipient is (you) and I assume you'll agree to delete the email. This will determine whether the ICO should be informed.

They'll only inform person whose details were unlawfully shared if there is a risk to them ie someone who is harassing them has inadvertently been given their home address.

If reported to the ICO they'd want to see action taken for containment, and that the risk to the person was considered and appropriate action taken.

MissLucyEyelesbarrow · 30/12/2023 11:29

Watchkeys · 30/12/2023 10:43

Is that the legal situation? I mean, is it illegal for me to contact them?

Thank you for taking the time to answer.

It's not illegal because private individuals acting in a private capacity are not subject to the DPA 2018/GDPR. But it would be the act of a stalky nob.

Just tell the company and ask for their assurance that they will tell the affected customer FGS.

Watchkeys · 30/12/2023 11:31

A stalky nob? Cheers!

OP posts:
qpalbfy · 30/12/2023 11:35

@MissLucyEyelesbarrow she wouldn't be operating in a personal capacity though. The reason private individuals can be liable for GDPR personally is if they essentially start acting like a controller, so for example, an employee steals a database and starts using it for their own means, they become a data controller in their own right (a data controller can be an individual) and are now in scope of the legislation. Holding onto data that OP has no legal right to, no personal reason for holding (eg a friend's email address) means they are now operating beyond that of a private individual.

oneuponedown · 30/12/2023 11:50

Hi OP, I'm a data protection lawyer. It's not illegal for you to contact the party directly. However, as you have been told numerous times on this thread, the correct position under the legislation is to delete the third party personal data you hold and contact the agency to report you have received it and deleted it. They will then follow their own processes to contact the third party/report to the ICO if deemed necessary. You should receive a response back from them and if you are not satisfied you can report to the ICO, but that is not the process detailed in the legislation.

prh47bridge · 30/12/2023 11:56

Agree with @oneuponedown (not surprisingly!).

qpalbfy · 30/12/2023 11:56

@oneuponedown how would you defend it being legal for her to contact the individual? She has a legal obligation to delete the data, so contacting the data subject could not be legal? How can you define her as operating as a private individual in this circumstance?

qpalbfy · 30/12/2023 11:59

@oneuponedown sorry I ask that in a friendly debate kind of way, not aggressive forum argument kind of way!

Watchkeys · 30/12/2023 12:04

Thank you @oneuponedown I appreciate your professional input.

OP posts:
Watchkeys · 30/12/2023 12:05

qpalbfy · 30/12/2023 11:56

@oneuponedown how would you defend it being legal for her to contact the individual? She has a legal obligation to delete the data, so contacting the data subject could not be legal? How can you define her as operating as a private individual in this circumstance?

I'm interested in this too. Good question!

OP posts:
CeciledeVolangesdeNouveau · 30/12/2023 12:05

Yep, ICO. If they don’t help get a cheap solicitor.
